Bluetooth Low Energy is one of the fastest-growing IoT technologies. BLE devices surround us more and more - not only as wearables, toothbrushes and sex toys, but also smart locks, medical devices and banking tokens. Alarming vulnerabilities in these devices have been exposed multiple times recently. And yet, the knowledge of how to comprehensively assess their security seems very uncommon, not to mention best-practice guidelines, which are practically absent.
This is probably the most exhaustive and up-to-date training regarding BLE security - for both pentesters and developers. It compresses years of painful debugging and reversing into practical, useful checklists. It is based on hands-on exercises on real devices (including multiple smart locks) as well as a deliberately vulnerable training lock, Hackmelock.

NFC, on the other hand, has been around us for quite a long time. However, the vulnerabilities pointed out years ago probably won't be resolved in the near future. It is still surprisingly easy to clone most access control cards used for buildings today. Among other practical exercises performed on real installations, the attendees will reverse an example hotel access system and, as a result, will be able to open all the doors in the facility.

With the prevalence of NFC smartphones, a new application of this technology has recently been gaining attention: mobile contactless payments and access control. Using a combination of cloud services and mobile security, it is now possible to embed a credit card (or the NFC key to a lock) in your phone. Is the technology as robust as advertised? How can its security be checked, and how should it be implemented correctly? Find out during practical exercises, including a step-by-step guide on how to bypass security mechanisms and clone a contactless payment card.

Each attendee will receive a hardware pack worth over 300 EUR, including among others a Proxmark 3, a rooted Android smartphone and a Raspberry Pi (detailed below). The hardware will allow for BLE analysis (sniffing, intercepting), cloning and cracking multiple kinds of proximity cards, analysis of BLE or NFC mobile applications, and practising most of the training exercises later at home.

Detailed agenda

Day 1

Bluetooth Smart (Low Energy)

Based on about 10 different smart locks, beacons, a mobile PoS, a banking token, various other devices, and tools developed by the trainer: the GATTacker BLE MITM proxy and the deliberately vulnerable Hackmelock (consisting of an Android mobile application and a lock device simulated on a Raspberry Pi).

Theory introduction

What is Bluetooth Smart/Low Energy/4.0, and how is it different from previous Bluetooth versions?

NFC

Comprising hands-on exercises on real access control installations and mobile payment applications.
Every time a student succeeds in bypassing an access control system (e.g. by cloning a card), a specially prepared box will automatically unlock and allow them to collect a delicious prize.

Short introduction

RFID/NFC - where do I start?

frequencies, card types, usage scenarios

how to recognize the card type - a quick walkthrough

equipment and what you can do with it - mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware